CVE-2026-35452
Received Received - Intake

Unauthorized Log Disclosure in WWBN AVideo CloneSite Plugin

Vulnerability report for CVE-2026-35452, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo versions 26.0 and prior, specifically in the CloneSite plugin. The endpoint plugin/CloneSite/client.log.php serves the clone operation log file without requiring any authentication, unlike other endpoints in the same plugin directory which require admin privileges. This log file contains sensitive information such as internal filesystem paths, remote server URLs, and SSH connection metadata.

Impact Analysis

Because the clone operation log file is accessible without authentication, an attacker can obtain sensitive internal information about the system. This includes filesystem paths, remote server URLs, and SSH connection details, which could be used to facilitate further attacks, reconnaissance, or unauthorized access.

Compliance Impact

The vulnerability allows unauthenticated access to a log file containing internal filesystem paths, remote server URLs, and SSH connection metadata. This exposure of potentially sensitive internal information could lead to non-compliance with data protection standards such as GDPR and HIPAA, which require safeguarding sensitive data and controlling access to it.

However, the provided information does not explicitly state the impact on compliance with these standards.

Detection Guidance

This vulnerability can be detected by checking if the plugin/CloneSite/client.log.php endpoint is accessible without authentication on your WWBN AVideo installation. Since this endpoint serves the clone operation log file without requiring admin privileges, you can attempt to access it directly via HTTP requests.

  • Use curl or wget to request the URL: curl -I http://your-avideo-domain/plugin/CloneSite/client.log.php
  • Check if the response status is 200 OK and if the content contains internal filesystem paths, remote server URLs, or SSH connection metadata.
  • Scan web server logs or use web vulnerability scanners to identify unauthenticated access to this endpoint.
Mitigation Strategies

To mitigate this vulnerability immediately, restrict access to the plugin/CloneSite/client.log.php endpoint to authorized users only.

  • Apply authentication checks similar to other endpoints in the CloneSite plugin directory, enforcing User::isAdmin() or equivalent.
  • If possible, restrict access to this endpoint via web server configuration (e.g., IP whitelisting or authentication).
  • Update WWBN AVideo to a version later than 26.0 where this issue is fixed.
  • Avoid exposing sensitive log files publicly to prevent leakage of internal filesystem paths and SSH metadata.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart